dcrat | 13c4945bea13acfe1301ef83ed8238420e02dd621f287a0d3759c8a7a3005861

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13c4945bea13acfe1301ef83ed8238420e02dd621f287a0d3759c8a7a3005861.exe
Size

1.3MB
MD5

34bde2a21525eacebe21f8c939a6e5b8
SHA1

9752d0f780769d1741cb009395437a9c4e5391e7
SHA256

13c4945bea13acfe1301ef83ed8238420e02dd621f287a0d3759c8a7a3005861
SHA512

0996ebd5add18f43638ac2f414acb7a8b79f2e1531c616158051191a7a8587242109b3e196b6de90c1caa0e7f5eb8273e5e1ae94c2982482314c2a3526f8ea9f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2984	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019377-12.dat	dcrat
behavioral1/memory/2848-13-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/2584-50-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/2532-418-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/1940-479-0x0000000000EC0000-0x0000000000FD0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2020	powershell.exe
2400	powershell.exe
2012	powershell.exe
2304	powershell.exe
2008	powershell.exe
1384	powershell.exe
2212	powershell.exe
1560	powershell.exe
1636	powershell.exe
2460	powershell.exe
2236	powershell.exe
1468	powershell.exe
2232	powershell.exe
2292	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2848	DllCommonsvc.exe
2584	cmd.exe
2976	cmd.exe
1632	cmd.exe
2672	cmd.exe
2240	cmd.exe
2532	cmd.exe
1940	cmd.exe
1956	cmd.exe
1396	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2512	cmd.exe
2512	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
18	raw.githubusercontent.com

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\de-DE\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\de-DE\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Microsoft Office\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13c4945bea13acfe1301ef83ed8238420e02dd621f287a0d3759c8a7a3005861.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2500	schtasks.exe
1548	schtasks.exe
2700	schtasks.exe
2908	schtasks.exe
2376	schtasks.exe
2276	schtasks.exe
1372	schtasks.exe
3064	schtasks.exe
2692	schtasks.exe
992	schtasks.exe
3004	schtasks.exe
2412	schtasks.exe
3028	schtasks.exe
1920	schtasks.exe
444	schtasks.exe
780	schtasks.exe
2392	schtasks.exe
588	schtasks.exe
3032	schtasks.exe
1320	schtasks.exe
2804	schtasks.exe
2768	schtasks.exe
1160	schtasks.exe
1620	schtasks.exe
1524	schtasks.exe
2872	schtasks.exe
2792	schtasks.exe
2596	schtasks.exe
2544	schtasks.exe
1992	schtasks.exe
1516	schtasks.exe
1792	schtasks.exe
2636	schtasks.exe
2944	schtasks.exe
1492	schtasks.exe
1632	schtasks.exe
1884	schtasks.exe
2524	schtasks.exe
1840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2848	DllCommonsvc.exe
2848	DllCommonsvc.exe
2848	DllCommonsvc.exe
2008	powershell.exe
2020	powershell.exe
1560	powershell.exe
2232	powershell.exe
2236	powershell.exe
1636	powershell.exe
2400	powershell.exe
1468	powershell.exe
2292	powershell.exe
1384	powershell.exe
2212	powershell.exe
2012	powershell.exe
2460	powershell.exe
2304	powershell.exe
2584	cmd.exe
2976	cmd.exe
1632	cmd.exe
2672	cmd.exe
2240	cmd.exe
2532	cmd.exe
1940	cmd.exe
1956	cmd.exe
1396	cmd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	DllCommonsvc.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	2584	cmd.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2976	cmd.exe
Token: SeDebugPrivilege	1632	cmd.exe
Token: SeDebugPrivilege	2672	cmd.exe
Token: SeDebugPrivilege	2240	cmd.exe
Token: SeDebugPrivilege	2532	cmd.exe
Token: SeDebugPrivilege	1940	cmd.exe
Token: SeDebugPrivilege	1956	cmd.exe
Token: SeDebugPrivilege	1396	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 1948	2444	13c4945bea13acfe1301ef83ed8238420e02dd621f287a0d3759c8a7a3005861.exe	30
PID 2444 wrote to memory of 1948	2444	13c4945bea13acfe1301ef83ed8238420e02dd621f287a0d3759c8a7a3005861.exe	30
PID 2444 wrote to memory of 1948	2444	13c4945bea13acfe1301ef83ed8238420e02dd621f287a0d3759c8a7a3005861.exe	30
PID 2444 wrote to memory of 1948	2444	13c4945bea13acfe1301ef83ed8238420e02dd621f287a0d3759c8a7a3005861.exe	30
PID 1948 wrote to memory of 2512	1948	WScript.exe	31
PID 1948 wrote to memory of 2512	1948	WScript.exe	31
PID 1948 wrote to memory of 2512	1948	WScript.exe	31
PID 1948 wrote to memory of 2512	1948	WScript.exe	31
PID 2512 wrote to memory of 2848	2512	cmd.exe	33
PID 2512 wrote to memory of 2848	2512	cmd.exe	33
PID 2512 wrote to memory of 2848	2512	cmd.exe	33
PID 2512 wrote to memory of 2848	2512	cmd.exe	33
PID 2848 wrote to memory of 1636	2848	DllCommonsvc.exe	74
PID 2848 wrote to memory of 1636	2848	DllCommonsvc.exe	74
PID 2848 wrote to memory of 1636	2848	DllCommonsvc.exe	74
PID 2848 wrote to memory of 2232	2848	DllCommonsvc.exe	75
PID 2848 wrote to memory of 2232	2848	DllCommonsvc.exe	75
PID 2848 wrote to memory of 2232	2848	DllCommonsvc.exe	75
PID 2848 wrote to memory of 2460	2848	DllCommonsvc.exe	77
PID 2848 wrote to memory of 2460	2848	DllCommonsvc.exe	77
PID 2848 wrote to memory of 2460	2848	DllCommonsvc.exe	77
PID 2848 wrote to memory of 2292	2848	DllCommonsvc.exe	78
PID 2848 wrote to memory of 2292	2848	DllCommonsvc.exe	78
PID 2848 wrote to memory of 2292	2848	DllCommonsvc.exe	78
PID 2848 wrote to memory of 1560	2848	DllCommonsvc.exe	79
PID 2848 wrote to memory of 1560	2848	DllCommonsvc.exe	79
PID 2848 wrote to memory of 1560	2848	DllCommonsvc.exe	79
PID 2848 wrote to memory of 2212	2848	DllCommonsvc.exe	80
PID 2848 wrote to memory of 2212	2848	DllCommonsvc.exe	80
PID 2848 wrote to memory of 2212	2848	DllCommonsvc.exe	80
PID 2848 wrote to memory of 2400	2848	DllCommonsvc.exe	81
PID 2848 wrote to memory of 2400	2848	DllCommonsvc.exe	81
PID 2848 wrote to memory of 2400	2848	DllCommonsvc.exe	81
PID 2848 wrote to memory of 1384	2848	DllCommonsvc.exe	82
PID 2848 wrote to memory of 1384	2848	DllCommonsvc.exe	82
PID 2848 wrote to memory of 1384	2848	DllCommonsvc.exe	82
PID 2848 wrote to memory of 2020	2848	DllCommonsvc.exe	83
PID 2848 wrote to memory of 2020	2848	DllCommonsvc.exe	83
PID 2848 wrote to memory of 2020	2848	DllCommonsvc.exe	83
PID 2848 wrote to memory of 1468	2848	DllCommonsvc.exe	84
PID 2848 wrote to memory of 1468	2848	DllCommonsvc.exe	84
PID 2848 wrote to memory of 1468	2848	DllCommonsvc.exe	84
PID 2848 wrote to memory of 2012	2848	DllCommonsvc.exe	85
PID 2848 wrote to memory of 2012	2848	DllCommonsvc.exe	85
PID 2848 wrote to memory of 2012	2848	DllCommonsvc.exe	85
PID 2848 wrote to memory of 2008	2848	DllCommonsvc.exe	87
PID 2848 wrote to memory of 2008	2848	DllCommonsvc.exe	87
PID 2848 wrote to memory of 2008	2848	DllCommonsvc.exe	87
PID 2848 wrote to memory of 2236	2848	DllCommonsvc.exe	88
PID 2848 wrote to memory of 2236	2848	DllCommonsvc.exe	88
PID 2848 wrote to memory of 2236	2848	DllCommonsvc.exe	88
PID 2848 wrote to memory of 2304	2848	DllCommonsvc.exe	90
PID 2848 wrote to memory of 2304	2848	DllCommonsvc.exe	90
PID 2848 wrote to memory of 2304	2848	DllCommonsvc.exe	90
PID 2848 wrote to memory of 2584	2848	DllCommonsvc.exe	102
PID 2848 wrote to memory of 2584	2848	DllCommonsvc.exe	102
PID 2848 wrote to memory of 2584	2848	DllCommonsvc.exe	102
PID 2584 wrote to memory of 2844	2584	cmd.exe	104
PID 2584 wrote to memory of 2844	2584	cmd.exe	104
PID 2584 wrote to memory of 2844	2584	cmd.exe	104
PID 2844 wrote to memory of 1060	2844	cmd.exe	106
PID 2844 wrote to memory of 1060	2844	cmd.exe	106
PID 2844 wrote to memory of 1060	2844	cmd.exe	106
PID 2844 wrote to memory of 2976	2844	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\13c4945bea13acfe1301ef83ed8238420e02dd621f287a0d3759c8a7a3005861.exe
"C:\Users\Admin\AppData\Local\Temp\13c4945bea13acfe1301ef83ed8238420e02dd621f287a0d3759c8a7a3005861.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
    - - C:\Users\Admin\Links\cmd.exe
        
        "C:\Users\Admin\Links\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1060
        
        C:\Users\Admin\Links\cmd.exe
        
        "C:\Users\Admin\Links\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat"
        8⤵
        
        PID:1452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1936
        
        C:\Users\Admin\Links\cmd.exe
        
        "C:\Users\Admin\Links\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat"
        10⤵
        
        PID:1092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2892
        
        C:\Users\Admin\Links\cmd.exe
        
        "C:\Users\Admin\Links\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"
        12⤵
        
        PID:716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1976
        
        C:\Users\Admin\Links\cmd.exe
        
        "C:\Users\Admin\Links\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat"
        14⤵
        
        PID:2524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2972
        
        C:\Users\Admin\Links\cmd.exe
        
        "C:\Users\Admin\Links\cmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"
        16⤵
        
        PID:1020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1092
        
        C:\Users\Admin\Links\cmd.exe
        
        "C:\Users\Admin\Links\cmd.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
        18⤵
        
        PID:1756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2064
        
        C:\Users\Admin\Links\cmd.exe
        
        "C:\Users\Admin\Links\cmd.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat"
        20⤵
        
        PID:3044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1156
        
        C:\Users\Admin\Links\cmd.exe
        
        "C:\Users\Admin\Links\cmd.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Local Settings\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Local Settings\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Favorites\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Favorites\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Links\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Links\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Links\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac6ce76d7732dd83e388453d67ba8fed

SHA1
6ae480bebb0695d856c74817dd0583a47014ed50

SHA256
8b44780b1a4ff62abeaadc4ce1fba1ccf93f8c881da6c6e83fa3bf9e46985004

SHA512
235db9cce2e3f079b863a347a46f2c173cea8c4b25996066b327efa33a13c1d766f1efe429acbbacf3f8e6ab0d82882e8a368998d1cba92bdca56ae3156f57b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae2698b294d48c2a550694294b19bae0

SHA1
59fa9cddfb1ab1df9fe01aa03996041c4dba7c45

SHA256
8d725dc2c1e9ceeb3b800f1492d80a975f3f3985a360fe9499e0600f91d82cb0

SHA512
318c9b9aefe4b2b5ded0162c9a77303bfda465172704359dd94672dae331a20d6b6ae7f246dd2ecc97aa6bc940243f23c68bbae26306a4f2b8dbb3f01bdcdf83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6bb9387f59857c79fbeb4581e6d06f2

SHA1
49fdf69ab72cc002340518268670c0254d85b713

SHA256
5ad412111780eb847de622590f12afb35f5fa0340d300c2c53d7d7d51339ef3d

SHA512
7db04c263babeaf62d41bd31a399613156e3fadf068d9bdd526a94caac0a956cc548b69639f51c5b2cfd829d1b5efffdc64aa1001fbd26c2a8acc8b81592dd84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3db39127089024a8978792541aac6a7

SHA1
c60918d1b74d40969b9a0d4d339eb28a94cfc37f

SHA256
6edc413b553537c8dbd8ffb37dd2d7d05afb895fb3ff407a5f90d1cdcac5a53e

SHA512
5599a054e2143675a3415f9507935e4782cbc435958616d52bbb7126d808ed607a06050b4b1d3296b9d30c369011d25eece3ea1536a1f1d82ae1c21d973864d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b3aae88b6f3d7d4d3c203585186eab1

SHA1
61b4397b674a08abd4e857aa1c21278e712447a4

SHA256
e405f3b3f46ddb71d1f050e61b675c9d6efadabbfcdf3a7f365b346319a1b5b6

SHA512
49618bdae5e14f93ef431b611d3940c87a885b0f615d1864115a21a465ac4e49c983d75bbdd8d20753a402df12190bb5a2874e732b889b38886e55b7dfb4c57c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
839b53f21c289de0d7a63790b44b9ee9

SHA1
b2a2afafaebfe45a92927a2be544b8c248b3d0df

SHA256
06e0f002b9a54c67465b9039d76abc6d8e2ac01da7751cc34b70a899ce83580f

SHA512
6e0a0b1b8a3d4464258db627b2b4e2e968825998aa7f5b2fd438988921ebd18fa295a56bc5a528942daa817264fc336b15f2989c8bc34bbb4a822721b3fd30d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf1cf9320db4c43b5cd6ca89a36299fe

SHA1
3993122350e4cc47c920e6552513cbd7a3da9093

SHA256
2111e8125362acd823281a1115bcfbc4cb7b0aa0fedcaefde8c8fb1ae3354551

SHA512
ec6d93b104dc7a7a6f6fb2771de1852095cfcf23d82133aa138f95f7ded618eb9414d8d712c03585a374266a2088c5e8de15c392c7f018054fdfbdd5715d6f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat

Filesize
193B

MD5
852413a37052dd28129f7da5579579d8

SHA1
8f7ae748af7a8c262f0e34c170952f2eedfe8ce8

SHA256
fade8e1b94d1e898288f0a18df95e82e8c68d7d07ffa1bc2516e0e21fe2975ce

SHA512
9d7acca2ba7c1b6a26b5c51a3239fa012ca51ab010db2c89b0721bbe9736bd334d1ef5c2af64a908379320413f51f918478c1859ced67fc923c478363a5ba825

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat

Filesize
193B

MD5
7df4031994ce2e5b5ee6f1c2139d1783

SHA1
2c348121e497114cbf875479c77fcd50825df5f2

SHA256
da21e18a5f859bd67663912e1cb437485b05a947935f1611eee4bb761ae557db

SHA512
fe8120233755afd28d8e1c3ed863f24f6a14a6e92c39208b797eb7dcfecdf1b8e0697b05e6b56c18d16a31f47de30da052680a66f2f22a77b20bb39514f17d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat

Filesize
193B

MD5
e9c4b2a69ce7f5bba04478620b489d6a

SHA1
fea4c2c20145f59b9f26f7811bf0cc6743564e5b

SHA256
0c3298d2c11d79cf517cc3ee64fdcda6b42bd5ac15f1f181b1817f3252ff464f

SHA512
a86384a6fe2970de1f6485695b7562bfe98be45d4ca81e4af9b338036420db654b1905b803c932ac5df42204aadfd1c8ea26cbd187c593c84a376e9a8279b723

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDAF6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDB28.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat

Filesize
193B

MD5
14de9721664f8ff10f83ea4f18d5cb22

SHA1
162aa0dc331d93697411ef2e84e53612428f3e95

SHA256
8253ef6858ab58e1a89f5b8d4907f681bc45590e11b2f2c3bae5c819dac7e8e9

SHA512
228e370b5213a168e99b91eaac3b28fc4a63507dc5b66f9072c75a34023d04aafc6c55fd236313d962dcf5d229ac1d9dd795eb7dcb9cbc976ec96dcf934b9703

Download Submit
C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat

Filesize
193B

MD5
92fd291bd816c8101502aca765750f9b

SHA1
f1c037d72ad631abdc89022337cc5b6ac0235e49

SHA256
347d5e4d38b8adb16327c9103b67447abda2e4b2358d872976b14c12dca27999

SHA512
b76b2a5b03645db7f14b2aa76be030c5d580c85087a0913b7bfe539a769c88939879e91353fe072e65481a8f7e832d9a11efad69287f37a6b58ea3b1130f8158

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat

Filesize
193B

MD5
0fa261b60c829971469dbf3ea0f8e69b

SHA1
7520ef39eee20be539c4c9adcc9aabfa5a302f4e

SHA256
ff85fb950c345fe7dc2cee278196d4f383974e61025ba2cc6dc71a5d08f7f80a

SHA512
63b5382dd32140cd79d228b9e91beed47dd5b742e08f94b58e3384b07f42b82f7d0d08db8dd3a0e693c6b65739b29de268f99b8d99412e5f9dd2d7b9ea5c64fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat

Filesize
193B

MD5
00714fca503e428ea3ca0bd16be8466c

SHA1
0ae31933d25b4e48c4949c965490bc4e6d7b83d1

SHA256
6b129156959f48cc80c19a01d61043eb827a1734a8e3caa727e01faa430c7d46

SHA512
baedaa160dd82edfe7ca9b8c7f6abf20c85e9472998c403c09545cd24265714a2f0473e802df723607f2220556d73d77618254b5dcf8ace10b0eba642578884d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat

Filesize
193B

MD5
4bb14a436162063926c4bfd68a831575

SHA1
bd892f5ce7b38a4162e1d5bdfa0809f99b7f23a3

SHA256
38c1b8293be14f3994c71869681d5053ac15ba49a66bbbfecc9421a3f7b490a8

SHA512
bbb2d66b40b33058b4a06c7642f50ee6f63d8141d3a82ceb80cc9afaf15584f7ae69a72425de474f92f6148bc748afebef603d0a4e509eb12c7aa5200aab77ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c310bb4e3b96eef714f4bb2784d98c26

SHA1
5c66566a04824cb896ad3de3f31b3881e9caa2cc

SHA256
69a7a695117dfed0b1971383376fe16421275424efd49819fdb390477b0b3314

SHA512
94535ffc428dc20dc29ee68def2fb4d053cae24e7f4606cad130ccb3629a8878385f67d7e3e20e5b9bf7fc33f488fe0ee1de0da414ae44dcdabb37efd66f36e4

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1940-479-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

Filesize
1.1MB

Download
memory/1956-539-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2020-96-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/2020-94-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2532-418-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/2532-419-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/2584-50-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2672-299-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2848-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2848-16-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2848-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2848-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2848-13-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/2976-180-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download